<inserted> scribe: wseltzer
schunter: Background
... we published 2 CRs, TPE and TCS
... TPE: If you're browsing the web, you can tell your browser to send signals about your tracking preference
... that's the easy part
... controversy: if a site receives "I don't want to be tracked," what should they do?
... most sites today do nothing
... status: we're at CR, waiting for implementations and use cases
[slide: TPE]
<rvaneijk> Can someone please send a link to the slides in irc?
schunter: the DNT header and the Tracking Status Object
-> https://lists.w3.org/Archives/Public/public-tracking/2016Sep/att-0015/W3C-TPAC-TPWG-Breakout-Intro-v03.pptx Matthias's slides
[slide: User-granted exceptions]
schunter: negotiation, we discussed in the WG that this negotiation can be used in the European context
... for consent to cookies, stored in the browser
... so when I revisit a site, my preferences can be recalled
... site-wide or web-wide exceptions
... moneill2_ will tell you a bit about how it works in practice
... vincent_ will talk about regulatory context
... other document, little uptake, is Compliance spec
... that's not interesting
... Implementation uptake: signal is supported in most browsers
... most sites ignore the signal
moneill2_: edge doesn't have the API, IE did
... I'll show you a test page
moneill2_: bouncer lets you grant or block behaviors, expires cookies
https://baycloud.com/bouncerDownload
moneill2_: you can consent, revoke
... this plugin gives transparency as well as user control
... showing you the trackers, letting you consent per-site
schunter: Consent registration is the main point
... saying "please change your mind" to the customer, and recording that consent
<rvaneijk> The Tracking Status Resource (TSR) is an essential element in terms of the mandatory information requirement in the EU legal framework
schunter: to let us move away from cookie banners
Regulatory Context
schunter: Vincent will give us a quick overview of the European regulatory landscape
... initial impetus to the WG came from EU Commission and US FTC, saying please do something
... now their regulations are increasing
Cargill: while this was underway, we had Snowden's PRISM disclosures that took some attention away from consumer tracking
... but consumer regulation might be coming back to attention
... we want approach to be based in science
... this group had a good technical approach.
schunter: it's not an accident that we're aligned with Europe; we were talking about the problem and to regulators
vincent_: current status in EU
... Data Protection Directive and ePrivacy Directive
... as directives, they must be adapted to 28 countries
... vary. Some countries think cookie IDs are "personal data"
... others "PII"
... different ideas of consent
... e.g. in France, users must interact with web page to consent to cookie being set on browser
... to try to harmonize regulation, art 29 published opinions
... art 29 = group of 28 DPAs in Europe
... differences = why we need a regulation
... May 2016, GDPR. Will be fully applicable May 2018
<rvaneijk> Article 29 of EU Directive 96/46/EC "establishes" the working group.
vincent_: a Reg, not a Directive, means same text applies in 28 countries
<scribe> ... new: personal data definition includes "online identifiers" including cookie ids
UNKNOWN_SPEAKER: you need consent to collect and process data
... several legal bases, of which consent and "legitimate interests" are most important
... 2009 ePrivacy vs GDPR
... GDPR recital 32
[[(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement ...
scribe: or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a ...
... request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
]]
[highlighted: silence, pre-ticked boxes or inactivity should not therefore constitute consent.]
<rvaneijk> REGULATION (EU) 2016/67 http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
schunter: under this reg, you need explicit choice; so you have to click the cookie banner each time
... or use technical means
vincent: and right to revoke
... legitimate interest and right to object (art 21)
[[Art 21. 5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
]]
Cargill: can you object at any time?
... e.g. way down-stream?
vincent: yes
moneill: and it should be erased
vincent: objection might be through automated means
<JoeHallCDT1> dsinger (off-mic): how does the user object?
schunter: if you change DNT:0 to DNT:1 something has to happen
<fwagner> +q
matthias_matthiesen: IAB Europe. If user objects at any time, does that include after processing has commenced, or just before it starts?
Cargill: if halfway through processing, user objects, do you need to retract?
vincent: yes
schunter: there are reasonable limits, but you should be able to withdraw consent
<JoeHallCDT> note that Jonas' sensemaking systems at IBM can redo past inferences once data is removed… not that everyone should go buy that stuff, but that is one technical accommodation to rescinding of processing consent
fwagner: another side condition for consent - it needs transparent information. Without context you cannot give consent.
"machine unlearning"
<JoeHallCDT> :)
schunter: If I revoke consent, at least tracking has to stop
vincent: ePrivacy review
... could result in a directive or regulation
... could rely on DNT. coherent with previous directive
... DPAs support DNT
... could be used to obtain consent, not just object
[slide with lots of text]
[European Data Protection Supervisor; Article 29]
<rvaneijk> Slides Vincent: http://lists.w3.org/Archives/Public/public-tracking/2016Sep/att-0016/Slides_DNT-v4.pdf
Discussion
schunter: at least as of 2018, DNT will be useful
<JoeHallCDT> also note that some providers have created pretty neat dynamic tracking code exclusion based on DNT:1: https://lists.w3.org/Archives/Public/public-tracking/2015Oct/0007.html
schunter: what do we do next
fwagner: can you give us an indication whether DNT is compliant with European law
<rvaneijk> Chapter 10 of the GDPR grants the Commission the power to adopt delegated acts (as referred to in Article 12(8) in respect of standardised icons and in Article 43(8) in respect of certification mechanisms).
vincent: I don't know if there's one technical means we can say
schunter: regulators unlikely to say that DNT is only means, but could say DNT is a likely viable solution
fwagner: if I go to DPA and say I intend to use DNT in this way, can I get an answer that I'll be safe?
vincent: that DPAs are pushing for DNT in ePrivacy review is indication that it could comply
<JoeHallCDT> @rvaneijk are you saying that the EC could mandate some sort of machine-readable transmission of data practices? that seems to be a subset of DNT, now, I would think
schunter: DPAs operate independently
fwagner: GDPR is one-stop shop principle
aleecia: art29 WP has weighed in formally on prior drafts
... we've gotten 2 rounds of guidance
... I think companies in Europe will be able to get guidance
<rvaneijk> @JoeHallCDT Yes that is possible, but another route may be a decision through the data protection board.
aleecia: In US, DNT is considered as opt-out
<JoeHallCDT> ah, ty, @rvaneijk
aleecia: In Europe, users must consent else they must not be tracked
... W3C documents allow DNT to be viable under European law.
schunter: get companies interested, pilot, evaluate by companies and regulators
... CR would stay CR through implementation experience
dka: I was curious
... good to see regulatory interest; we've also seen companies like Medium that have seen ways to use DNT in their user experience
... is anyone tracking the self-policing? can we provide positive feedback?
... seems fragmented. all the energy is on blockers.
<JoeHallCDT> FPF maintains a list of DNT respecting sites: https://allaboutdnt.com/companies/
<rvaneijk> https://www.w3.org/wiki/Privacy/TPWG/TPE_Implementation_Report
moneill: there's a page on the wiki ^
schunter: Google had done some anonymizing of users who had DNT set
dka: at Samsung, we have a browser, that currently does not have DNT
... I want to push it back to the engineering team; would like to have the argumentation to do it.
<rvaneijk> Samsung should consider to implement the JavaScript API :)
Cargill: vincent's last slide, there's no explicit reference to self-regulation
<JoeHallCDT> @rvaneijk, meaning that instead of just a dumb DNT:[1,0] setting, they should do the whole thing?
Cargill: "how difficult is it to add this now rather than being penalized for not having"
moneill: quite a few sites in Europe using.
<JoeHallCDT> there some sites that actually block content loading based on DNT:1… not sure those are in the lists
moneill: several thousand sites in Europe
JimBell: seems to me that unless we take some action, we'll end up regulated in some jurisdictions
... suppliers declaration of conformance
... SVOC, VPATS (?)
... probably the only way we're going to avoid regulation
<inserted> scribenick: JoeHallCDT
wseltzer: running down on time for the session...
... helpful to get the state of internal/external affairs
... question to w3c membership:
... what do you want us to do?
... what should be next
... working on a charter extension so that we can work on what to do next
... we can allow the charter to lapse while maintaining CRs, will return later when we have indications of moving forward next steps to PR and imp. reports, testing usage
... we could re-charter
... under process, we need expression of support, and meet the conditions in the process
... and assure members we have a plan of a path forward
... we know how we are going to get from CR to PR
... Philippe in new role as w3c PM will insist that we have clear deliverables and milestones
schunter: working groups should work
... if we have a plan of what to do and support, we go forward
... if we do not, we will not
dka: what's stopping movement to PR?
... focusing on getting stuff to rec?
... waiting on imps?
... there are a few of them, why wait?
... getting something out there quickly would be much better
... then when the reg. is out, we decide what to do now
schunter: this is my evening job, I have a daytime job
... don't want to just create a document that only sits on a shelf
dka: would point to SVG as an example
... was pushed out, considered dead
... and now is ubiquitous
fwagner: one possible way forward is to do a model implementation
... creating transparency for the users, working with EU regs
... from my perspective, there's [?]
Benedikt: represent Thomson Reuters, aware of GDPR
... DNT is attractive because we can actually talk to regulators about this
... this is something we'd like to stay on the front of
... (vote for re-charter)
aleecia: Dan, we had a call where Jaffe agreed that we had enough imps to move forward
... could promote doc as it is now
... criteria for CR->PR have been fulfilled
... but still not enough
... Jaffe agrees go straight to PR
... agree with that, we'll have a document to work with when a crisis point comes
... if it's still bottled up in committee, it will be harder to get it done
... I see no policy or w3c impediment to putting the PR out there right now
Jaffe: to clarify:
... there are two issues:
<dka> +1 to putting the PR out there.
Jaffe: one is process, one is judgement
... might have said from a formal process view that when we have 2 imps, move forward
... also said there's a judgment call that there needs to be consensus from WG that there needs to be sufficient imp experience
... on the side of servers actually honoring what UAs request, there is work to do
schunter: we can jump through w3c hoops, but it's judgement and energy now
... a WG that consists of only chairs is boring
... can we get support
... e.g., a company saying, we've implemented on a couple hundred sites
dsinger: we could push it out… part of the spec we'd need to remove is the exception calls
... not enough server-side demand for that
... rest could be pushed out
<Zakim> dsinger, you wanted to talk about the API
dka: would be better to get it out there
... then the energy could be put into helping implementers and getting more of them
schunter: tomorrow we have a WG meeting
... important to know who in the room can join us in terms of implementation
... based on who wants to join compliance validation in EU
... we can decide to recharter for 6 months
... what slices of spec to push out when is a secondary consideration
wseltzer: this is not a formal WG meeting
... so can't take decisions, can get a sense of what people want to do
... from w3c Team perspective, want a very clear sense of what we want to do when extending charter
dsinger: don't see a practical difference between rechartering and not
schunter: if you don't have a charter, you don't exist
... to do active experiment studies need a charter
Philippe: difficult for me to judge having just walked in the room
... the charter will need to show that you can be successful
<wseltzer> s/Felipe/Philippe/G
cargill: if we get a reference imp. acceptable to EU regulators, then we have something to go with
... if we get an imp and EU regulators say no, that's failure
schunter: way forward is clear…
... found new people interested in this work
... will take it to the WG and see what folks think about rechartering
... morphs the group from a US marketing group to a EU compliance group
... thanks everyone!
... any other stuff you want to know, ping schunter